528/68 Wednesday, December 17, 2025
Cybersecurity researchers have identified a new information-stealing malware called “SantaStealer,” which is being advertised for sale on Telegram channels and underground hacking forums. The malware is offered under a Malware-as-a-Service (MaaS) model and promotes its ability to operate primarily in memory to evade detection. However, in-depth analysis by Rapid7 researchers reveals that SantaStealer is largely a rebrand of an earlier project known as “BluelineStealer.” Despite claims of stealthy operation, leaked samples show notable operational security (OpSec) flaws on the developer’s side, making the malware easier to analyze and detect than advertised.
From a technical standpoint, SantaStealer is designed to be easy for attackers to deploy, with subscription pricing starting at $175 per month. The malware consists of 14 modular components and targets a wide range of sensitive data, including browser passwords and cookies, credit card information, and accounts from platforms such as Telegram, Discord, and Steam. Its primary focus is on cryptocurrency wallets, and it also claims the ability to bypass Google Chrome’s newer App-Bound Encryption protections. Additional capabilities include taking screenshots of infected systems, with all collected data being compressed and immediately exfiltrated to the attacker’s servers.
Although SantaStealer has not yet been observed in large-scale campaigns, researchers warn that it is likely to be distributed through ClickFix attacks, bundled with pirated software, or delivered via phishing emails. Rapid7 advises users to exercise heightened caution when clicking unknown links or downloading files from untrusted sources, and to avoid running unverified extensions or code, in order to reduce the risk of sensitive data theft.
